Oracle has issued an emergency patch for a vulnerability in Oracle Identity Manager. The flaw, tracked as CVE-2017-10151, carries the maximum CVSS v3 base score of 10.0.
“This Security Alert addresses CVE-2017-10151, a vulnerability affecting Oracle Identity Manager. This vulnerability has a CVSS v3 base score of 10.0, and can result in complete compromise of Oracle Identity Manager via an unauthenticated network attack.” states the security advisory published by Oracle.
The vulnerability could be exploited by an unauthenticated attacker to remotely take over the software.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager. While the vulnerability is in Oracle Identity Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Identity Manager.” states the advisory published on NIST’s National Vulnerability Database.
Oracle Identity Manager belongs to the Oracle Fusion Middleware suite of web-based services; it manages user access privileges to enterprise resources and tasks.
The flaw affects versions 11.1.1.7, 11.1.1.9, 11.1.2.2.0, 11.1.2.3.0, 12.2.1.2.0 and 12.2.1.3.0, the releases listed in Oracle's Security Alert.
The vulnerability is very easy to exploit and should be addressed immediately.
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay,” continues the Oracle advisory.
“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.”
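The advisory's two statements above (a fixed list of affected releases, plus the caveat that earlier, unsupported versions are likely affected too) translate into a simple triage rule for an inventory of OIM hosts. The script below is an added example, not code from Security Affairs or from Oracle: the `AFFECTED` list is assumed to be the one Oracle published for CVE-2017-10151, while the grouping into release trains and the three labels are this example's own. One caveat it encodes in its output: applying Oracle's patch does not change the product's version string, so a host reporting an affected release may already be fixed, and only the OPatch inventory on the host can confirm that.

```python
"""Classify a deployed Oracle Identity Manager version against the
CVE-2017-10151 Security Alert.

Added example, not code from Security Affairs or Oracle. AFFECTED is assumed
to be the list Oracle's Security Alert publishes for CVE-2017-10151; the
release-train grouping and the labels below are this example's own.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Releases Oracle lists as affected (assumption: copied from the Security Alert).
AFFECTED = ("11.1.1.7", "11.1.1.9", "11.1.2.2.0", "11.1.2.3.0",
            "12.2.1.2.0", "12.2.1.3.0")


def parse_version(text: str) -> Version:
    """Parse a dotted version into a tuple of ints.

    Trailing zeros are dropped so that 11.1.1.7 and 11.1.1.7.0 (both spellings
    occur in Oracle documents) compare equal.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if any(p < 0 for p in parts):
        raise ValueError(f"bad version: {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def release_train(v: Version) -> Version:
    """First three components, e.g. 11.1.2 for 11.1.2.3.0 (example's own grouping)."""
    return v[:3]


def _affected_by_train() -> Dict[Version, List[Version]]:
    """Group the affected releases by release train for ordered comparison."""
    trains: Dict[Version, List[Version]] = {}
    for text in AFFECTED:
        v = parse_version(text)
        trains.setdefault(release_train(v), []).append(v)
    return trains


def classify(deployed: str) -> str:
    """Return one of:
      'affected-release'    - exactly a release Oracle lists; apply the alert patch.
                              A patched system keeps the same version string, so
                              confirm with the OPatch inventory, not with this check.
      'earlier-unsupported' - older than the earliest listed release of the same
                              train; Oracle says such versions are likely affected
                              and should be upgraded to a supported release.
      'not-listed'          - newer than, or outside, the listed release trains.
    """
    v = parse_version(deployed)
    listed = _affected_by_train().get(release_train(v))
    if listed is None:
        return "not-listed"
    if v in listed:
        return "affected-release"
    if v < min(listed):
        return "earlier-unsupported"
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample inventory; the host names and versions are made up.
    for host, ver in [("oim-prod-1", "11.1.2.3.0"), ("oim-legacy", "11.1.1.5.0"),
                      ("oim-dev", "12.2.1.3.0"), ("oim-lab", "12.2.1.4.0")]:
        print(f"{host:12s} {ver:10s} {classify(ver)}")
```

For hosts that come back as `affected-release`, the follow-up is to run `opatch lsinventory` from the OIM Oracle home and look for the patch named in Oracle's Security Alert; the version string alone cannot distinguish a patched host from an unpatched one.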
This emergency patch follows the recently released October 2017 Critical Patch Update, which addressed a total of 252 security vulnerabilities across multiple products, 38 of them in Fusion Middleware.
Most of the vulnerabilities fixed in that CPU may be exploited remotely without authentication.
The October CPU was Oracle's last Critical Patch Update of 2017; over the year the company resolved 1,119 vulnerabilities, 22% more than in 2016.
(Security Affairs – Oracle emergency patch, CVE-2017-10151)